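def __manage_cookies_post_response(session, response):
    """Write the session's pending cookie and header updates onto ``response``.

    Runs after the view has produced ``response``. When the session has been
    marked for removal (``session.remove_cookies``), every auth cookie is
    cleared and nothing new is attached; otherwise each pending token stored
    on the session is written out.

    Each of ``session.new_access_token_info``, ``new_refresh_token_info`` and
    ``new_id_refresh_token_info`` is either ``None`` (nothing to write) or a
    dict with the keys ``token``, ``expiry``, ``cookiePath``, ``cookieSecure``
    and ``sameSite``; ``domain`` is optional and defaults to ``None`` when
    absent. Any other missing key raises ``KeyError``.
    ``session.new_anti_csrf_token`` is either ``None`` or the header value.

    Args:
        session: the request's session object carrying the pending updates.
        response: the outgoing response that receives the cookies/headers.
    """

    def cookie_args(info):
        # Positional arguments common to the three attach_* helpers, in the
        # order they expect them; only ``domain`` may be absent.
        return (
            info['token'],
            info['expiry'],
            info.get('domain'),
            info['cookiePath'],
            info['cookieSecure'],
            info['sameSite'],
        )

    if session.remove_cookies:
        # Logout / revocation path: drop every auth cookie, attach nothing.
        clear_cookies(response)
        return

    access_token = session.new_access_token_info
    if access_token is not None:
        attach_access_token_to_cookie(response, *cookie_args(access_token))

    refresh_token = session.new_refresh_token_info
    if refresh_token is not None:
        attach_refresh_token_to_cookie(response, *cookie_args(refresh_token))

    id_refresh_token = session.new_id_refresh_token_info
    if id_refresh_token is not None:
        attach_id_refresh_token_to_cookie_and_header(
            response, *cookie_args(id_refresh_token))

    anti_csrf_token = session.new_anti_csrf_token
    if anti_csrf_token is not None:
        attach_anti_csrf_header(response, anti_csrf_token)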
def refresh_session(response):
    """Rotate the session using the refresh-token cookie of the current request.

    Reads the frontend info and the refresh-token cookie from the current
    ``request``, asks ``session_helper.refresh_session`` for a new token set
    and returns a ``Session`` built from it.

    When ``response`` is given, the new access, refresh and id-refresh tokens
    are attached to it as cookies (plus the anti-CSRF header when the helper
    returned one). When ``response`` is ``None`` the same values are parked on
    the returned ``Session`` as ``new_*_token_info`` / ``new_anti_csrf_token``
    for a later writer.

    Args:
        response: the outgoing response to write cookies to, or ``None``.

    Raises:
        Unauthorised (via ``raise_unauthorised_exception``) when the
        refresh-token cookie is absent; ``SuperTokensTokenTheftError`` and
        ``SuperTokensUnauthorisedError`` from the helper are re-raised
        unchanged. On every failure path the auth cookies on ``response`` are
        cleared before the error propagates.
    """
    save_frontend_info_from_request(request)
    old_refresh_token = get_refresh_token_from_cookie(request)
    if old_refresh_token is None:
        clear_cookies(response)
        raise_unauthorised_exception('Missing auth tokens in cookies. Have you set the correct refresh API path in '
                                     'your frontend and SuperTokens config?')
    try:
        anti_csrf = get_anti_csrf_header(request)
        result = session_helper.refresh_session(old_refresh_token, anti_csrf)
        access_info = result['accessToken']
        refresh_info = result['refreshToken']
        id_refresh_info = result['idRefreshToken']
        session_data = result['session']
        session = Session(access_info['token'], session_data['handle'], session_data['userId'],
                          session_data['userDataInJWT'], response)
        if response is None:
            # No response yet: defer the cookie writes to whoever owns it.
            session.new_access_token_info = access_info
            session.new_refresh_token_info = refresh_info
            session.new_id_refresh_token_info = id_refresh_info
            new_anti_csrf = result.get('antiCsrfToken')
            if new_anti_csrf is not None:
                session.new_anti_csrf_token = new_anti_csrf
        else:
            # ``domain`` is the only optional attribute in the token info.
            attach_access_token_to_cookie(
                response, access_info['token'], access_info['expiry'],
                access_info.get('domain'), access_info['cookiePath'],
                access_info['cookieSecure'], access_info['sameSite'])
            attach_refresh_token_to_cookie(
                response, refresh_info['token'], refresh_info['expiry'],
                refresh_info.get('domain'), refresh_info['cookiePath'],
                refresh_info['cookieSecure'], refresh_info['sameSite'])
            attach_id_refresh_token_to_cookie_and_header(
                response, id_refresh_info['token'], id_refresh_info['expiry'],
                id_refresh_info.get('domain'), id_refresh_info['cookiePath'],
                id_refresh_info['cookieSecure'], id_refresh_info['sameSite'])
            new_anti_csrf = result.get('antiCsrfToken')
            if new_anti_csrf is not None:
                attach_anti_csrf_header(response, new_anti_csrf)
        return session
    except (SuperTokensTokenTheftError, SuperTokensUnauthorisedError):
        clear_cookies(response)
        raise
def get_session(response, enable_csrf_protection):
    """Verify the session carried by the current request's cookies.

    Requires both the id-refresh-token cookie and the access-token cookie on
    the current ``request``. Hands the access token, the anti-CSRF header and
    ``enable_csrf_protection`` to ``session_helper.get_session`` and returns a
    ``Session`` for its result. If the helper issued a fresh access token
    (``accessToken`` key in its result), that token becomes the session's
    token and is either attached to ``response`` as a cookie or, when
    ``response`` is ``None``, parked as ``session.new_access_token_info``.

    Args:
        response: the outgoing response to write cookies to, or ``None``.
        enable_csrf_protection: forwarded to ``session_helper.get_session``.

    Raises:
        Unauthorised (via ``raise_unauthorised_exception``) when the
        id-refresh-token cookie is missing; cookies are cleared first.
        TryRefreshToken (via ``raise_try_refresh_token_exception``) when only
        the access-token cookie is missing; cookies are left in place so the
        client can go through the refresh flow.
        ``SuperTokensUnauthorisedError`` from the helper is re-raised after
        clearing the cookies.
    """
    save_frontend_info_from_request(request)
    if get_id_refresh_token_from_cookie(request) is None:
        clear_cookies(response)
        raise_unauthorised_exception('id refresh token is missing in cookies')
    access_token = get_access_token_from_cookie(request)
    if access_token is None:
        raise_try_refresh_token_exception('access token missing in cookies')
    try:
        result = session_helper.get_session(
            access_token, get_anti_csrf_header(request), enable_csrf_protection)
        # The helper may hand back a renewed access token; prefer it.
        fresh_info = None
        if 'accessToken' in result:
            fresh_info = result['accessToken']
            access_token = fresh_info['token']
        session_data = result['session']
        session = Session(access_token, session_data['handle'], session_data['userId'],
                          session_data['userDataInJWT'], response)
        if fresh_info is not None:
            if response is None:
                session.new_access_token_info = fresh_info
            else:
                attach_access_token_to_cookie(
                    response, fresh_info['token'], fresh_info['expiry'],
                    fresh_info.get('domain'), fresh_info['cookiePath'],
                    fresh_info['cookieSecure'], fresh_info['sameSite'])
        return session
    except SuperTokensUnauthorisedError:
        clear_cookies(response)
        raise
 def handle_token_theft(e):
     """Error handler for token-theft errors.

     Builds a response from the app's token-theft callback (given the
     session handle and user id carried by ``e``) and strips every auth
     cookie from it before returning it.
     """
     body = self.__token_theft_detected_callback(e.session_handle, e.user_id)
     resp = make_response(body)
     clear_cookies(resp)
     return resp
 def handle_unauthorised(e):
     """Error handler for unauthorised errors.

     Wraps the app's unauthorised callback result in a response and clears
     every auth cookie on it before returning it.
     """
     body = self.__unauthorised_callback(e)
     resp = make_response(body)
     clear_cookies(resp)
     return resp
 def __clear_cookies(self):
     """Remove every auth cookie from the response this session wraps."""
     resp = self.__response
     clear_cookies(resp)